Healthcare organizations are required to protect electronic protected health information (ePHI), such as electronic health records, from various internal and external risks [1]. Safeguards must be in place even when emailing ePHI. One challenge is that conventional email and email services do not have what it takes to meet HIPAA compliance. Nor is it as simple as encrypting the email content; there is much more to it.

The Technical Safeguards in HIPAA address the protection of ePHI. The Security Rule defines technical safeguards in § 164.304 as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” There are 5 standards. With EPRIVO you could meet HIPAA ePHI compliance even in emails you send that contain ePHI. EPRIVO has all the necessary security and controls for HIPAA. See below how each standard applies with EPRIVO.

1. Access Control
2. Audit Controls
3. Integrity
4. Authentication
5. Transmission Security

#1: Access Control on a need-to-use basis. The Security Rule defines access in § 164.304 as “the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in subpart E of this part [the HIPAA Privacy Rule]).” Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of § 164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.

·       Unique User Identification to track and limit user activity.
>>  You need to log in to your EPRIVO app, so only people who have set up EPRIVO accounts can send EPRIVO private emails. Each user has a unique EPRIVO ID. Each EPRIVO email also has a unique message ID.
 
·       Emergency Access Procedure to obtain necessary ePHI if needed.
>>  Access to emails is always possible on multiple devices (including mobile devices) after authentication. 

·       Ability to terminate a session after a set time of inactivity.
>>  EPRIVO apps have a secure session that expires automatically after a certain time if no activity is detected, thereby locking the app and keeping its contents confidential.
 
·       Confidentiality support for ePHI both at rest and in transit.
>>  EPRIVO emails are fully encrypted and cannot be accessed in the cloud. Emails can be accessed and read only after proper authentication in the EPRIVO app. Email confidentiality can be fully provided in the cloud, including all metadata, on a per-email basis. Sender information, subject line, etc. can be confidential. EPRIVO emails are also encrypted at rest on your devices. The EPRIVO service does not store emails and has no access to your email content.
 
#2: The Audit Controls standard requires a covered entity to: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
>> EPRIVO emails are encrypted and not accessible in the cloud; they are accessible only in the EPRIVO application (available on iOS, macOS and Android, with Windows forthcoming). One can list and see all emails sent. The information is there to track all activity. There are separate folders for expired emails, recalled emails, etc. One can also see when the last communication occurred, along with other information.
 
#3: Integrity is defined in the Security Rule, at § 164.304, as “the property that data or information have not been altered or destroyed in an unauthorized manner.” Protecting the integrity of ePHI is a primary goal of the Security Rule.
>> Any alteration to EPRIVO emails would render them inaccessible due to built-in integrity checks and encryption. One also has the option to use Physical Separation (see settings in the app), which adds physical security on top of digital security, meaning that no provider ever has full access to even the encrypted content.

#4: Authentication serves to verify an individual’s access to ePHI. This can include passwords, smartcards, tokens, keycards and biometrics. Per the HIPAA text: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
>> EPRIVO emails cannot be forwarded if No Forwarding is set. Access to EPRIVO private emails is authenticated through the app and service. The recipient must log in and authenticate every time to access their emails. On the sender's side, only the person with the EPRIVO account who sent the email can access it, after authenticating with a password or biometrics. Two-factor authentication is available in EPRIVO. It requires users to provide at least one additional form of identification beyond user name and password. All emails remain confidential in the cloud and on your devices as well as on recipients’ devices. Emails can even expire.

#5: Transmission Security states that ePHI must be guarded from unauthorized access while in transit. Per the HIPAA text: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
>> All communication within the EPRIVO service is encrypted. All email content is encrypted; the subject, from address, metadata, etc. can also be made confidential in the cloud on a per-email basis when you compose and send an EPRIVO private email. All ePHI will always be encrypted in EPRIVO private emails.

Download EPRIVO Encrypted Private Email App for free. EPRIVO works with your existing email address, and allows you to privatize old emails from any email account.

References

  1. HIPAA Technical Safeguards. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf?language=es
  2. TrueVault. https://www.truevault.com/blog/how-does-data-de-identification-work